Due to their enormous code-base, client side network applications have become a significant risk to the operating system and their users. Unfortunately, signature based antivirus and intrusion detection systems are ineffective in preventing new attacks. In addition, current application sandboxing mechanisms are either not strong enough or hard to deploy to the end user's desktop.
Currently, network applications have become the new attack vector posing significant risk to end-user's computing environment. These applications increasingly operate on untrusted sources of data and code. For example, a typical user uses a web browser for multiple tasks such as: reading news, performing on-line banking, shopping on-line or playing on-line games, all in the same session. If any of the web sites visited by the user hosts malicious software, the web browser or the user's computer may become compromised. Once compromised, the user may lose control to a malicious remote controller who can use the computer as he wishes. Typical cases of malware can transform the infected computer into a remotely controlled bot as part of a larger bot collective. Spam, hosting malicious software, stealing personal and sensitive data including user IDs and passwords for banking sites are just a few among many observed uses of infected machines.
This kind of attack is called an intra-application attack because it uses just one application. Cross-site scripting attacks belong to this class and one recent example happened on Gmail. Drive-by downloading is another common intra-application attack for web browsers, and researchers from Google have found many malicious URLs containing drive-by downloads on the Internet.
Another kind of attack is inter-application attacks which utilizes more than one application. In this case, the attacker can put the malicious content in a video file and allure the user to open it. Since Windows Media player uses Internet Explorer (IE) as the browser, even if the user installed Firefox as the default browser, the malicious video file can exploit the vulnerabilities of IE without the user's knowledge.
Standard defenses against these Internet-borne attacks employ antivirus software, personal firewalls, spyware detectors, and intrusion detection systems. Anti-virus software and IDSs are normally signature based and can detect known attacks. However, they are inefficient in detecting new attacks and dealing with polymorphic viruses. Personal firewalls are susceptible to being disabled by kernel-level rootkits.
Sandboxing is another method to protect the end user's computer. Different levels of sandboxing are feasible, ranging from language software fault isolation, process level system call mediation, to hardware virtualization. Unfortunately, language and process level sandboxing are susceptible to bypass, and current hardware virtualization sandboxing, such as the Tahoma system, separates the applications as well as the data that they usually share, therefore sacrificing usability. In addition, the Tahoma browser needs help from the web server, only protects the browser applications and is hard to deploy.
What is needed is a clean and isolated environment for instances of network applications to run in combination with a detection mechanism that can detect, act upon and report unauthorized intrusions into the isolated environment.